[Resolved] Turn off ModSecurity directives in htaccess

Discussion in 'Feedback/Feature Requests' started by IrPr, Feb 7, 2010.

  1. IrPr

    IrPr New Member

    Hi there,

    It seems that ModSecurity it could be disabled in htaccess using this directive:
    Code:
    SecFilterEngine Off
    Well, It means an attacker can easily bypass modsec rules using htaccess file
    Tested myself and it's possible to disable and bypass modsec rules by htaccess, and to me, its a very big security hole

    I found here that its possible to disable htaccess support for ModSecurity during compile:

    Now im asking for a feature to disable/enable ModSec rules support inside htaccess files to be implemented in LSWS admin console

    Regards.
    Last edited by a moderator: Oct 3, 2010
  2. mistwang

    mistwang LiteSpeed Staff

    add to our to do list.
  3. IrPr

    IrPr New Member

    Any update ?
  4. NiteWave

    NiteWave Administrator

    now in 4.0.17, mod_security directive in .htaccess can be disabled, configuration is at server level, in admin console. please download and test ... not formally release yet but may be soon.
  5. IrPr

    IrPr New Member

    Special thanks
    tested and its working properly

    Regards
  6. IrPr

    IrPr New Member

    Hi there

    I'm using apache/cPanel httpd.conf
    How to disable mod_security directives support in .htaccess ?
  7. NiteWave

    NiteWave Administrator

    tested on our cPanel box, the setting:

    admin console->Server->Request Filter->Disable .htaccess Override:Yes

    apply for virtual hosts defined in apache httpd.conf.
  8. IrPr

    IrPr New Member

    Great, works like a charm!

    Thanks in advance

Share This Page